Closed Bug 1667680 Opened 5 years ago Closed 5 years ago

[warp] Assertion failure: script->length() <= JitOptions.ionMaxScriptSize, at jit/TrialInlining.cpp:42

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
83 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox81 --- unaffected
firefox82 --- disabled
firefox83 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(2 files)

Attached file testcase

See attached testcase.

(gdb) bt
#0  0x0000555557dc25ca in js::jit::DoTrialInlining (cx=0x7ffff6927000, frame=0x7fffffffb550) at /home/skygentoo/trees/mozilla-central/js/src/jit/TrialInlining.cpp:42
#1  0x000030b3aaeb4c35 in ?? ()
#2  0x00001f1b946771f0 in ?? ()
#3  0x00007fffffffb528 in ?? ()
#4  0x0000000000000008 in ?? ()
#5  0x0000555558d3ea10 in js::jit::vmFunctions ()
#6  0x000030b3aaf72107 in ?? ()
#7  0x0000000000006021 in ?? ()
#8  0x00007fffffffb550 in ?? ()
#9  0xfffe313f74700828 in ?? ()
#10 0x0000000000000000 in ?? ()
(gdb)
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/f5f7119a80ac
user:        Jan de Mooij
date:        Wed Sep 16 11:15:42 2020 +0000
summary:     Bug 1664786 part 6 - Limit total bytecode size when trial inlining. r=iain

Run with --fuzzing-safe --no-threads --fast-warmup --warp --ion-limit-script-size=off, compile with AR=ar sh ./configure --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests, tested on m-c rev cb8232ebe212.

I doubt this is s-s but I'll let Jan/other devs make the decision.

Flags: sec-bounty?
Flags: needinfo?(jdemooij)
Flags: needinfo?

A bogus assertion. Some limits don't apply with --ion-limit-script-size=off (a testing configuration) so the code shouldn't assume they're there.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
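The pattern behind jandem's comment, as an added example that is not SpiderMonkey's code and not the fix landed in this bug: an assertion that restates a configurable limit must be guarded by the option that enables the limit, otherwise the assertion fires in a test configuration where the limit is deliberately switched off. The `JitOptions` field names (`limitScriptSize`, `ionMaxScriptSize`), the threshold, and the `passesScriptSizeGate` function that stands in for the tier's size check are assumptions modelled on the `--ion-limit-script-size=off` flag and the assertion text in the bug title, not code taken from the tree.

```cpp
// Added example, not SpiderMonkey's code. Models the bogus-assertion
// pattern from bug 1667680: a debug invariant that assumes a size limit
// which --ion-limit-script-size=off disables.
#include <cassert>
#include <cstddef>
#include <cstdint>

// Minimal stand-in for js::jit::JitOptions. Field names are assumptions
// modelled on the shell flag; the threshold is made up for the example.
struct JitOptions {
  bool limitScriptSize = true;       // false under --ion-limit-script-size=off
  uint32_t ionMaxScriptSize = 100000;
};

// Options as the fuzzer ran the shell: the size limit switched off.
JitOptions unlimitedOptions() {
  JitOptions opts;
  opts.limitScriptSize = false;
  return opts;
}

// Hypothetical size gate a compiler tier applies before accepting a script.
// With the limit disabled, every script is accepted regardless of length,
// so code downstream cannot assume the length bound any more.
bool passesScriptSizeGate(const JitOptions& opts, size_t scriptLength) {
  if (!opts.limitScriptSize) {
    return true;
  }
  return scriptLength <= opts.ionMaxScriptSize;
}

// The assertion as reported: it claims the bound unconditionally.
bool oldTrialInliningInvariant(const JitOptions& opts, size_t scriptLength) {
  return scriptLength <= opts.ionMaxScriptSize;
}

// The corrected form: only claim the bound when the option enforces it.
// Equivalent to MOZ_ASSERT_IF(opts.limitScriptSize, length <= max).
bool newTrialInliningInvariant(const JitOptions& opts, size_t scriptLength) {
  return !opts.limitScriptSize || scriptLength <= opts.ionMaxScriptSize;
}

// What happens when a script of the given length reaches the trial-inlining
// step under the given options.
struct Outcome {
  bool reachedTrialInlining;  // did the gate let the script through?
  bool oldAssertHolds;        // would the reported assertion pass?
  bool newAssertHolds;        // would the guarded assertion pass?
};

Outcome simulate(const JitOptions& opts, size_t scriptLength) {
  Outcome o{false, true, true};
  if (!passesScriptSizeGate(opts, scriptLength)) {
    return o;  // never reaches trial inlining; assertion not evaluated
  }
  o.reachedTrialInlining = true;
  o.oldAssertHolds = oldTrialInliningInvariant(opts, scriptLength);
  o.newAssertHolds = newTrialInliningInvariant(opts, scriptLength);
  return o;
}

int main() {
  const size_t huge = 250000;  // constructed: well above the example limit

  // Default configuration: the gate rejects the script, so the assertion
  // in trial inlining is never reached and the bound really does hold.
  Outcome limited = simulate(JitOptions{}, huge);
  assert(!limited.reachedTrialInlining);

  // --ion-limit-script-size=off: the script gets through, the unguarded
  // assertion fires (the crash in this bug), the guarded one does not.
  Outcome unlimited = simulate(unlimitedOptions(), huge);
  assert(unlimited.reachedTrialInlining);
  assert(!unlimited.oldAssertHolds);
  assert(unlimited.newAssertHolds);
  return 0;
}
```

The practitioner's takeaway when triaging such a report: an assertion that only fails under a testing-only flag, and that encodes a bound the flag removes, is a wrong invariant rather than a memory-safety finding, which is why the bug was treated as a plain defect and the bounty flag was declined.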

Set release status flags based on info from the regressing bug 1664786

Severity: -- → S3
Priority: -- → P1
Group: core-security → javascript-core-security
Group: javascript-core-security
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8e4778c34026 Fix assertion to account for --ion-limit-script-size=off testing flag. r=iain
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 83 Branch

== Change summary for alert #27122 (as of Sat, 03 Oct 2020 03:28:54 GMT) ==

Improvements:

4% build times linux64 debug base-toolchains-clang taskcluster-m5.4xlarge 1,499.33 -> 1,442.72

For up to date results, see: https://treeherder.mozilla.org/perf.html#/alerts?id=27122

Flags: sec-bounty? → sec-bounty-
Has Regression Range: --- → yes
